Vidar

Vidar is dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of vengeance. This upgraded version of the Arkei stealer has been terrorizing the internet since 2018.

Type: Trojan
Origin: ex-USSR
First seen: 1 December, 2018
Last seen: 18 January, 2020
Also known as: Arkei
Global rank: 21
Week rank: 23
Month rank: 19
IOCs: 577

What is Vidar / Arkei malware?

Vidar is an information stealer Trojan that was first identified in December 2018. It is either a fork of Arkei or the result of its evolution. Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected machines, take screenshots, steal cryptocurrency and more.

General description of Vidar

Vidar is presumed to have originated in a Russian-speaking country, since the malware is configured to stop execution if it detects that it is running on a machine located in one of the ex-USSR nations or on one that has a Russian keyboard layout.

Like other malware sold under the MaaS (Malware-as-a-Service) business model, Vidar can be purchased on its “official” website for a hefty price tag of $700, at least for the PRO version. A stripped-down version of the malware can be obtained for just $250.

Vidar is written in C++. Purchasing an account grants the attacker access to a control panel where the malware can be set up to target particular information on the victim's PC. As with Arkei, cybercriminals need to take precautions to secure the main payload themselves, using a cryptor or a packer. The control panel displays the current builder version, user settings, malware status, and logs. It should be noted that the domain names Vidar uses to find its C&C servers, to which stolen data is sent, change every four days.

Vidar is capable of stealing text files in multiple formats, browser cookies and history, browser records, including data from TOR, as well as autofill value information including banking and credit card details. In addition, the malware can search for cryptocurrency wallet information, take screenshots and record private messages from various software.

What’s more, Vidar is also known to be able to steal digital coins from offline wallets. In fact, holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are in potential danger, as these are the cryptocurrencies currently supported by the malware.

After collecting all targeted information, the malware archives it and sends the stolen data to a control server, after which Vidar removes traces of its work and deletes itself from the system.

Vidar malware analysis

A video recorded in the ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of Vidar.

Figure 1: A visual process graph generated by ANY.RUN

Figure 2: The customizable text report provided by ANY.RUN is a perfect tool to share the results of an analysis

Vidar execution process

After the user downloads and runs a malicious file, it spawns a child process and starts to collect information from the infected device. Often, after the information has been collected, the malware kills and deletes itself through a command-line command.
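The self-deletion step described above leaves a recognisable trace in process-creation telemetry: a shell child whose command line deletes the image of the process that spawned it. The following is an added detection sketch, not ANY.RUN's logic and not taken from a Vidar sample; the events are constructed, with field names following Sysmon Event ID 1, and all paths and command lines are illustrative assumptions.

```python
import ntpath
import re

# Constructed process-creation events (field names as in Sysmon Event ID 1).
# Paths and command lines are illustrative, not taken from a Vidar sample.
EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Users\bob\Downloads\invoice.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\bob\Downloads\invoice.exe"'},
    {"ProcessId": 5332, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\bob\Downloads\invoice.exe",
     "CommandLine": r'cmd.exe /c taskkill /im invoice.exe /f & del /q "C:\Users\bob\Downloads\invoice.exe"'},
    {"ProcessId": 6001, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c del /q C:\Temp\old.log"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
DELETE = re.compile(r"(?<![\w-])(del|erase|remove-item)(?![\w-])", re.I)
KILL = re.compile(r"(?<![\w-])(taskkill|stop-process)(?![\w-])", re.I)


def self_delete_alerts(events):
    """Return alerts for shell children that delete their parent's image."""
    alerts = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() not in SHELLS:
            continue
        cmd = ev["CommandLine"].lower()
        parent = ev["ParentImage"].lower()
        parent_name = ntpath.basename(parent)
        # A shell launched by another shell always "names" its parent; skip it.
        if parent_name in SHELLS:
            continue
        # The delete target may be a full path or a bare file name.
        names_parent = parent in cmd or parent_name in cmd
        if DELETE.search(cmd) and names_parent:
            alerts.append({
                "pid": ev["ProcessId"],
                "parent_image": ev["ParentImage"],
                "kills_parent": bool(KILL.search(cmd)),
            })
    return alerts


if __name__ == "__main__":
    for alert in self_delete_alerts(EVENTS):
        print(alert)
```

Only the second event is flagged; the ordinary log cleanup launched from explorer.exe is not, because its command line never names the parent image.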

How to avoid infection by Vidar?

When spread via spam email campaigns, Vidar stealer requires the user to download and run a malicious file in order to enter an active state and begin execution. Therefore, following some basic online safety rules can ensure that users will stay safe from this malware.

As such, users should be careful when downloading attachments in emails from unknown senders. The best practice is to avoid downloading such files altogether, therefore not putting oneself in danger at all.

In addition, downloading only licensed software from trustworthy sources and avoiding gaming hack clients greatly reduces the risk of being infected with malware such as Vidar, which uses these attack vectors to infect victims.

The distribution process of Vidar

Like other malware, Vidar / Arkei is distributed through spam email campaigns as a malicious attachment. In addition, cases of Vidar being distributed using shady software and gaming hack clients have also been recorded. Vidar targets users all over the world with the exception of some ex-USSR countries, including Russia.

How to detect Vidar / Arkei using ANY.RUN?

Some malware creates files in which it names itself. You can find such information about the Arkei trojan using ANY.RUN's "Static Discovering". Either open the "Files" tab in the lower part of the task's window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the file.

Figure 3: Arkei's log file

Conclusion

Vidar / Arkei is a highly dangerous information stealer trojan, distributed as malware as a service. Thanks to its extensive stealer feature set, the Vidar trojan can be used to retrieve a wide variety of information and to steal select cryptocurrency coins from users. Additionally, Vidar is capable of stealing data from TOR.

Thankfully, malware hunting services like ANY.RUN allow researchers to conduct extensive studies of malware samples in a secure environment, making it possible to spread information about the danger and develop effective countermeasures.

